CVE-2021-46938 is a Linux kernel vulnerability in the device-mapper request-based (dm-rq) code, fixed upstream in 2021 and assigned its CVE identifier in February 2024. It is a double free of the blk_mq_tag_set when a mapped device is removed after a table load has failed. Specifically, when a device-mapper table is loaded for a request-based mapped device and the allocation/initialization of the device's blk_mq_tag_set fails, the partially set up tag set is freed on the error path but the pointer to it (md->tag_set) is left in the mapped_device; a subsequent device remove finds the stale pointer and frees the same object a second time.

Kernel log (dmesg) excerpt from the upstream commit message, showing the failed table load followed by the crash on removal:

...
device-mapper: core: Cannot initialize queue for request-based dm-mq mapped device
device-mapper: ioctl: unable to set up device queue for new table.
...
Kernel panic - not syncing: Fatal exception: panic_on_oops

The fix resets the pointer to NULL on the error path of dm_mq_init_request_queue(), right after the tag set is freed, and also clears it in dm_mq_cleanup_mapped_device() after the normal teardown free. Because dm_mq_cleanup_mapped_device(), which dev_remove() eventually reaches, only frees the tag set when md->tag_set is non-NULL, the cleared pointer means a device whose table load failed simply has nothing left to free.

The relevant change is in drivers/md/dm-rq.c. Note that md->tag_set is a separately allocated struct blk_mq_tag_set * (kzalloc_node() at the top of dm_mq_init_request_queue()), not a member embedded in the mapped_device, which is why the fix consists of clearing that pointer in both places where the object is freed:

// dm_mq_init_request_queue() error handling, after the fix
out_tag_set:
	blk_mq_free_tag_set(md->tag_set);
out_kfree_tag_set:
	kfree(md->tag_set);
	md->tag_set = NULL;

	return err;
...
// dm_mq_cleanup_mapped_device(), after the fix
if (md->tag_set) {
	blk_mq_free_tag_set(md->tag_set);
	kfree(md->tag_set);
	md->tag_set = NULL;
}

With the pointer cleared, a failed table load no longer leaves a dangling md->tag_set behind, so a later device removal frees nothing twice. The discipline behind the fix, clear the pointer in the same place the object is freed, is the general defense against this class of teardown double free.
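To make the failure mode concrete, the following is an added user-space model of the two functions involved (example code written for this page, not the kernel's own dm-rq.c). It assumes hypothetical stand-in types (struct mapped_device, struct tag_set), a fake_alloc_tag_set() that fails on demand in place of blk_mq_alloc_tag_set(), and a constructed tracked_free() that records freed pointers and counts any repeat free instead of letting the C library abort. run_scenario() plays the sequence the advisory describes, a table load whose tag-set allocation fails followed by device removal, against both the pre-fix and post-fix shape of the init function.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the kernel objects, not the real definitions. */
struct tag_set { int queue_depth; };
struct mapped_device { struct tag_set *tag_set; };

/* Instrumented free (constructed for this example): remembers what has
 * already been freed and counts any repeat free instead of corrupting the
 * heap, so a double free shows up as a number rather than a crash. */
#define MAX_FREED 16
static void *freed_ptrs[MAX_FREED];
static int freed_count, double_free_count;

static void tracked_free(void *p)
{
	for (int i = 0; i < freed_count; i++) {
		if (freed_ptrs[i] == p) {
			double_free_count++;	/* the CVE-2021-46938 condition */
			return;			/* do not really free it twice */
		}
	}
	if (freed_count < MAX_FREED)
		freed_ptrs[freed_count++] = p;
	free(p);
}

/* Stand-in for blk_mq_alloc_tag_set(): fails on demand with -ENOMEM. */
static int fake_alloc_tag_set(struct tag_set *ts, int fail_alloc)
{
	if (fail_alloc)
		return -12;
	ts->queue_depth = 2048;
	return 0;
}

/* Pre-fix shape of dm_mq_init_request_queue(): on failure the tag set is
 * freed but md->tag_set keeps pointing at the freed memory. */
static int init_request_queue_vuln(struct mapped_device *md, int fail_alloc)
{
	int err;
	md->tag_set = calloc(1, sizeof(*md->tag_set));
	if (!md->tag_set)
		return -12;
	err = fake_alloc_tag_set(md->tag_set, fail_alloc);
	if (err)
		goto out_kfree_tag_set;
	return 0;
out_kfree_tag_set:
	tracked_free(md->tag_set);	/* pointer left dangling: the bug */
	return err;
}

/* Post-fix shape: the same error path plus the pointer reset. */
static int init_request_queue_fixed(struct mapped_device *md, int fail_alloc)
{
	int err;
	md->tag_set = calloc(1, sizeof(*md->tag_set));
	if (!md->tag_set)
		return -12;
	err = fake_alloc_tag_set(md->tag_set, fail_alloc);
	if (err)
		goto out_kfree_tag_set;
	return 0;
out_kfree_tag_set:
	tracked_free(md->tag_set);
	md->tag_set = NULL;		/* the fix: cleanup now sees no tag set */
	return err;
}

/* Post-fix shape of dm_mq_cleanup_mapped_device(), reached from dev_remove(). */
static void cleanup_mapped_device(struct mapped_device *md)
{
	if (md->tag_set) {
		tracked_free(md->tag_set);
		md->tag_set = NULL;
	}
}

/* Table load (failing when fail_alloc is set) followed by device removal.
 * Returns how many double frees the tracked allocator observed. */
static int run_scenario(int use_fixed, int fail_alloc)
{
	struct mapped_device md = { NULL };
	freed_count = double_free_count = 0;
	if (use_fixed)
		init_request_queue_fixed(&md, fail_alloc);
	else
		init_request_queue_vuln(&md, fail_alloc);
	cleanup_mapped_device(&md);	/* what dev_remove() ends up doing */
	return double_free_count;
}

int main(void)
{
	printf("vulnerable, failed load then remove: %d double free(s)\n", run_scenario(0, 1));
	printf("fixed, failed load then remove:      %d double free(s)\n", run_scenario(1, 1));
	printf("vulnerable, good load then remove:   %d double free(s)\n", run_scenario(0, 0));
	return 0;
}
```

Only the failed-load-then-remove sequence on the vulnerable variant produces a repeat free; a successful load followed by removal is fine in both variants, which is why the bug went unnoticed until an allocation actually failed. In the real kernel the consequence is worse than a counter incrementing: blk_mq_free_tag_set() dereferences the already freed tag set before kfree() frees it again, which is the pointer dereference and panic seen in the log above.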

For more information about this vulnerability and the fix applied, refer to the following resources:

1. CVE-2021-46938: NVD Detail
2. Linux Kernel Source Code
3. Linux Kernel Mailing List Patch Discussion

For system administrators: make sure the kernels you run include the fix (merged for mainline Linux 5.13 and backported to the stable series). Triggering the bug requires the privilege to issue device-mapper ioctls (CAP_SYS_ADMIN) plus a failing blk_mq_tag_set allocation or queue initialization, so the realistic impact is a local kernel panic rather than a remote compromise; it is still worth patching promptly, since a double free in kernel memory is a memory-safety bug and allocation failures do occur on memory-constrained hosts. As always, stay current on security patches and advisories for the systems you manage.

Timeline

Published on: 02/27/2024 19:04:05 UTC
Last modified on: 04/10/2024 19:20:55 UTC